OpenID Security Flaw Lets Hackers Impersonate Users

Researchers have detected a serious vulnerability in some implementations of OpenID 2.0, which could enable malicious attackers to could gain unauthorized access to a user's account by altering traveling information.

The security flaw, which exists in several instances of the parties that implement Attribute Exchange (AX), a function that permits sites to exchange information between endpoints, prevents some sites from confirming that the information passing through AX has been signed.

Subsequently, AX could validate all of the passing information, including the identity of an unknown user, which enables an attacker to modify the data to his or her advantage or impersonate a victim without detection.

"If the site is only using AX to receive low-security information like a user's self-asserted gender, then this will probably not be a problem," according to an OpenID advisory posted Thursday. "However, if it is being used to receive information that it only trusts the identity provider to assert, then it creates the potential for an attack."

In a successful attack scenario, hackers could manipulate the OpenID transaction and potentially access the victim’s account.

Researchers at OpenID have already created a fix for the flaw, and impacted Web sites have deployed the update.

Thus far, there are no known attacks in the wild exploiting the flaw.

Researchers at OpenID have confirmed that apps using OpenID4Java are especially prone to accepting unsigned attributes and recommends that users update to the latest version, 0.9.6. In addition, Key Framework also had been vulnerable, but was repaired in version 1.0.2.

However, other libraries, such as Janrain, Ping Identity and DotNetOpenAuth are not vulnerable to attack.

In order to reduce the risk of a possible attack down the road, OpenID also suggests that users modify the application code to accept only signed attribute values.